Address PR #2 review comments (round 2)

- Fix grep|awk pipelines in test script to not fail under set -e
- Add --clobber to gh release upload for safe re-runs
- Skip CI on fork PRs to protect self-hosted runner from untrusted code

Author: lukekim

.github/workflows/ci.yml

@@ -15,7 +15,9 @@ env:
 jobs:
   ci:
     name: Format, lint, build, and test
-    # Self-hosted macOS runner required for CommonCrypto FFI and NAS access
+    # Self-hosted macOS runner required for CommonCrypto FFI and NAS access.
+    # Skip fork PRs to prevent untrusted code execution on self-hosted runners.
+    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: spiceai-macos
     permissions:
       contents: read

.github/workflows/release.yml

@@ -44,6 +44,6 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          gh release upload "${{ github.event.release.tag_name }}" \
+          gh release upload "${{ github.event.release.tag_name }}" --clobber \
             target/release/spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz \
             target/release/spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz.sha256

scripts/test-sccache.sh

@@ -271,8 +271,8 @@ echo "======================================="
 # ── Verify cache hits ───────────────────────────────────────────────────────
 
 STATS=$(sccache --show-stats 2>&1)
-CACHE_HITS=$(echo "$STATS" | grep -m1 "^Cache hits" | awk '{print $NF}')
-WRITE_ERRORS=$(echo "$STATS" | grep -m1 "Cache write errors" | awk '{print $NF}')
+CACHE_HITS=$(echo "$STATS" | grep -m1 "^Cache hits" | awk '{print $NF}' || echo "0")
+WRITE_ERRORS=$(echo "$STATS" | grep -m1 "Cache write errors" | awk '{print $NF}' || echo "0")
 
 echo ""
 if [[ "${CACHE_HITS:-0}" -gt 0 && "${WRITE_ERRORS:-0}" -eq 0 ]]; then